Growing Compatibility Issue: Computers and User Privacy

By JOHN MARKOFF

Published: March 3, 1999

SAN FRANCISCO, March 2 -- The Intel Corporation recently blinked in a confrontation with privacy advocates protesting the company's plans to ship its newest generation of microprocessors with an embedded serial number that could be used to identify a computer -- and by extension, its user.

But those on each side of the dispute acknowledge that it was only an initial skirmish in a wider struggle. From computers to cellular phones to digital video players, everyday devices and software programs increasingly embed telltale identifying numbers that let them interact.

Whether such digital fingerprints constitute an imminent privacy threat or are simply part of the foundation of advanced computer systems and networks is the subject of a growing debate between the computer industry and privacy groups. At its heart is a fundamental disagreement over the role of electronic anonymity in a democratic society.

Privacy groups argue fiercely that the merger of computers and the Internet has brought the specter of a new surveillance society in which it will be difficult to find any device that cannot be traced to the user when it is used. But a growing alliance of computer industry executives, engineers, law enforcement officials and scholars contend that absolute anonymity is not only increasingly difficult to obtain technically, but is also a potential threat to democratic order because of the possibility of electronic crime and terrorism.

"You already have zero privacy -- get over it," Scott McNealy, chairman and chief executive of Sun Microsystems, said at a recent news conference held to introduce the company's newest software, known as Jini, intended to interconnect virtually all types of electronic devices from computers to cameras. Privacy advocates contend that software like Jini, which assigns an identification number to each device each time it connects to a network, could be misused as networks envelop almost everyone in society in a dense web of devices that see, hear, and monitor behavior and location.

"Once information becomes available for one purpose there is always pressure from other organizations to use it for their purposes," said Lauren Weinstein, editor of Privacy Forum, an on-line journal.

This week, a programmer in Massachusetts found that identifying numbers can easily be found in word processing and spreadsheet files created with Microsoft's popular Word and Excel programs and in the Windows 95 and 98 operating systems.

Moreover, unlike the Intel serial number, which the computer user can conceal, the numbers used by the Microsoft programs -- found in millions of personal computers -- cannot be controlled by the user.

The programmer, Richard M. Smith, president of Phar Lap Software, a developer of computer programming tools in Cambridge, Mass., noticed that the Windows operating system contains a unique registration number stored on each personal computer in a small data base known as the Windows registry.

His curiosity aroused, Mr. Smith investigated further and found that the number that uniquely identifies his computer to the network used in most office computing systems, known as the Ethernet, was routinely copied to each Microsoft Word or Excel document he created.

The number is used to create a longer number, known as a globally unique identifier. It is there, he said, to enable computer users to create sophisticated documents comprising word processing, spreadsheet, presentation and data base information.

Each of those components in a document needs a separate identity, and computer designers have found the Ethernet number a convenient and widely available identifier, he said. But such universal identifiers are of particular concern to privacy advocates because they could be used to compile information on individuals from many data bases.

"The infrastructure relies a lot on serial numbers," Mr. Smith said. "We've let the genie out of the bottle."

Jeff Ressler, a Microsoft product manager, said that if a computer did not have an Ethernet adaptor then another identifying number was generated that was likely to be unique. "We need a big number which is a unique identifier," he said. "If we didn't have, it would be impossible to make our software programs work together across networks."

Indeed, an increasing range of technologies have provisions for identifying their users for either technical reasons (such as connecting to a network) or commercial ones (such as determining which ads to show to Web surfers). But engineers and network designers argue that identity information is a vital aspect of modern security design because it is necessary to authenticate an individual in a network, thereby preventing fraud or intrusion.

Last month at the introduction of Intel's powerful Pentium III chip, Intel executives showed more than a dozen data security uses for the serial number contained electronically in each of the chips, ranging from limiting access to protecting documents or software against piracy.

Intel, the largest chip maker, had recently backed down somewhat after it was challenged by privacy advocates over the identity feature, agreeing that at least some processors for the consumer market would be made in a way that requires the user to activate the feature.